Tuesday, June 26, 2012

"In addition, we observed a scheme known as “transaction poisoning” that targeted a well-known online escrow company. Rather than initiating new wire transactions on behalf of infected victims, the scheme would silently modify transactions initiated by the legitimate account holder. The original transactions were intended to go from a North American account to a recipient in the United Kingdom to fund an escrow account for auctioned vehicles. Instead, the funds were diverted to a mule account (see Figures 6 & 7).

This attack used a remote script that injected the necessary information behind the legitimate data, so the fraudulent transfer was invisible to the account holder. The script altered the following fields:

1. Bank Name

2. Sort Code

3. Swift Code

4. IBAN code

5. Account Number

6. Beneficiary Address"

We saw it coming. That's a very efficient way to deal with banks that apply two-factor authentication to each transaction.